How to detect, mitigate and respond to Forged PAC attacks
Forged PAC is a privilege escalation technique in which an attacker forges the Privilege Attribute Certificate (PAC) carried in a Kerberos ticket, adding group memberships the account does not actually hold, to gain access to resources it could not reach before.
Stealthbits’ products provide a multitude of ways to detect, mitigate, and respond to a Forged PAC attack.
DETECT
Detection works the same way as for Golden Tickets: inspect the group information the PAC of a Kerberos TGT claims for the account and compare it with what the account is actually entitled to.
APPROACH #1
Kerberos TGT Contains Specific Groups
DESCRIPTION
Monitor for specific RIDs (the relative identifiers of privileged groups) appearing in Kerberos PAC data where they should not be. By default, only the following groups are monitored:
PRODUCT: StealthINTERCEPT
APPROACH #2
Kerberos TGT Containing Groups of which the Account is not a Member
DESCRIPTION
Compares the groups presented in the Kerberos ticket with the account's actual group membership and takes the Kerberos ticket lifetime into account: a membership change only reaches the PAC when a new ticket is issued, so a group the account was removed from within the ticket lifetime may legitimately still appear. This drastically reduces false positives while still detecting every forged PAC.
The threat definition can be scoped to specific groups or to all groups, depending on customer requirements.
PRODUCT: StealthDEFEND
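The comparison both detection approaches rely on (groups claimed in the PAC versus groups the account really holds, with the ticket lifetime taken into account) can be reproduced with native tooling. The following is an added example, not Stealthbits code: it assumes the RSAT ActiveDirectory module, a target host `SRV01` (assumed name) whose Security log the caller can read, and that the "Audit Group Membership" subcategory is enabled there so that event 4627 records the group SIDs placed in each logon token, which is what the ticket's PAC claimed.

```powershell
# Added example, not Stealthbits code. Assumptions: the RSAT ActiveDirectory module
# is installed, the caller can read the Security log of $ComputerName, and the
# "Audit Group Membership" subcategory is enabled there, so event 4627 lists the
# group SIDs placed in each logon token (i.e. what the ticket's PAC claimed).
param(
    [string]$ComputerName = 'SRV01',   # assumed target host to inspect
    [int]$TicketLifetimeHours = 10,    # default "Maximum lifetime for user ticket"
    [int]$MaxEvents = 1000
)
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
$pdc       = $domain.PDCEmulator
$cutoff    = (Get-Date).AddHours(-$TicketLifetimeHours)
# RIDs that must never appear in a PAC unless the account really holds them
$sensitiveRids = @{ 512 = 'Domain Admins'; 516 = 'Domain Controllers'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

$events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
                       -FilterHashtable @{ LogName = 'Security'; Id = 4627 }

foreach ($e in $events) {
    $x = [xml]$e.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -like '*$') { continue }                  # machine accounts
    if ($d['TargetUserSid'] -notlike "${domainSid}-*") { continue }    # local / well-known accounts

    # Group SIDs from the token that belong to this domain; the rest are local machine groups
    $pacSids = [regex]::Matches($d['GroupMembership'], 'S-1-5-21-[\d-]+') |
               ForEach-Object { $_.Value } | Where-Object { $_ -like "${domainSid}-*" } | Sort-Object -Unique

    # What a DC would put into a fresh PAC today: the transitive membership in tokenGroups
    try {
        $user     = Get-ADUser -Identity $d['TargetUserSid'] -Server $pdc -Properties tokenGroups -ErrorAction Stop
        $realSids = @($user.tokenGroups | ForEach-Object { $_.Value })
    } catch {
        # A forged ticket may name an account or SID that does not exist in AD at all
        [pscustomobject]@{ Time = $e.TimeCreated; Account = $d['TargetUserName']; ExtraGroup = '(account not found in AD)'; Verdict = 'FORGED?' }
        continue
    }

    foreach ($sid in $pacSids) {
        if ($realSids -contains $sid) { continue }
        $rid = [int]$sid.Split('-')[-1]
        # Removed from this group within the ticket lifetime? Then a still-valid ticket
        # issued before the removal legitimately carries it. (Direct membership only;
        # a removal from a nested group is not detected by this check.)
        $recentlyRemoved = $false
        try {
            $grp  = Get-ADGroup -Identity $sid -Server $pdc -ErrorAction Stop
            $meta = Get-ADReplicationAttributeMetadata -Object $grp.DistinguishedName -Server $pdc -ShowAllLinkedValues |
                    Where-Object { $_.AttributeName -eq 'member' -and $_.AttributeValue -eq $user.DistinguishedName }
            $recentlyRemoved = [bool]($meta | Where-Object { $_.LastOriginatingDeleteTime -gt $cutoff })
        } catch { }
        $verdict = if ($recentlyRemoved) { 'stale ticket: removed within lifetime' }
                   elseif ($sensitiveRids.ContainsKey($rid)) { "FORGED? sensitive RID $rid ($($sensitiveRids[$rid]))" }
                   else { 'FORGED? group not held' }
        [pscustomobject]@{ Time = $e.TimeCreated; Account = $d['TargetUserName']; ExtraGroup = $sid; Verdict = $verdict }
    }
}
```

Run it as `.\Test-PacGroups.ps1 -ComputerName SRV01` from a host with the AD module; every output row is a logon whose token carried a domain group the DC would not put in a fresh PAC. The `tokenGroups` attribute is used deliberately instead of `Get-ADPrincipalGroupMembership`, because the PAC contains transitive membership and a direct-membership query would flag every nested group as an extra.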
MITIGATE
APPROACH #1
Reduce Domain Administrative Rights
DESCRIPTION
Review membership of privileged domain groups (e.g. Domain Admins, Enterprise Admins, Server Operators) and remove unnecessary members. These groups provide rights to access domain controllers.
PRODUCT: StealthAUDIT
APPROACH #2
DC Logon Groups
DESCRIPTION
Regularly review all domain groups that grant logon rights on domain controllers (e.g. Domain Admins, Server Operators): their members can reach the Ntds.dit file on the domain controller's file system, which holds every account's password hashes, including the KRBTGT hash needed to forge tickets. Remove unnecessary members.
PRODUCT: StealthAUDIT
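One way to produce the review list that mitigation approaches #1 and #2 call for, as an added example that is not Stealthbits code: it combines the privileged groups named on this page with every principal holding a logon right on domain controllers, and expands each to its effective members. It assumes the RSAT ActiveDirectory module, read access to SYSVOL, and that DC logon rights are defined in the Default Domain Controllers Policy (its fixed GUID is `{6AC1786C-016F-11D2-945F-00C04FB984F9}`); the extra operator groups listed beyond the page's own examples are an editorial addition.

```powershell
# Added example, not Stealthbits code. Assumptions: the RSAT ActiveDirectory module,
# read access to SYSVOL, and that logon rights on domain controllers are defined in
# the Default Domain Controllers Policy (GUID {6AC1786C-016F-11D2-945F-00C04FB984F9}).
Import-Module ActiveDirectory
$domain = Get-ADDomain
$inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# User rights that put a principal on a DC (and therefore within reach of Ntds.dit)
$logonRights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight', 'SeBatchLogonRight', 'SeServiceLogonRight'
# Groups named on this page plus the other default groups with equivalent reach
$reviewGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'Server Operators', 'Backup Operators', 'Account Operators', 'Print Operators'

$inScope = @{}   # SID -> reasons the principal is in scope
foreach ($name in $reviewGroups) {
    try { $g = Get-ADGroup -Identity $name -ErrorAction Stop; $inScope[$g.SID.Value] = @("member of $name") } catch { }
}
# Lines in GptTmpl.inf look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-9
foreach ($line in Get-Content -Path $inf) {
    if ($line -notmatch '^\s*(Se\w+LogonRight)\s*=\s*(.+)$') { continue }
    $right = $Matches[1]; $sidList = $Matches[2]
    if ($logonRights -notcontains $right) { continue }          # skips SeDeny*LogonRight entries
    foreach ($sid in ($sidList -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })) {
        if (-not $inScope.ContainsKey($sid)) { $inScope[$sid] = @() }
        $inScope[$sid] += "holds $right on domain controllers"
    }
}

# Expand each in-scope principal to its effective (nested) members for review
foreach ($sid in $inScope.Keys) {
    try   { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }
    try   { $members = @(Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop) }
    catch { $members = @() }   # not an AD group (e.g. S-1-5-9 Enterprise Domain Controllers) or a user granted the right directly
    if ($members.Count -eq 0) {
        [pscustomobject]@{ Group = $name; Member = '(direct grant / not a group)'; Class = ''; Reason = ($inScope[$sid] -join '; ') }
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{ Group = $name; Member = $m.SamAccountName; Class = $m.objectClass; Reason = ($inScope[$sid] -join '; ') }
    }
}
```

Pipe the output to `Export-Csv` and diff it against the previous review: a user who appears with reason "holds SeInteractiveLogonRight on domain controllers" but is not a member of any reviewed group is the kind of entry a group-only review misses.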
APPROACH #3
Secure Active Directory Permissions
DESCRIPTION
Review the following Active Directory permission applied at the domain level:
These rights allow an attacker to replicate the KRBTGT account's password hash with the DCSync technique, which is all that is needed to forge a TGT and its PAC. Remove any permissions that are not required.
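An added example (not Stealthbits code) of the permission review described above: it enumerates every ACE on the domain naming context that grants the replication extended rights DCSync depends on, or a right that would let the holder grant them to themselves. The GUIDs are the well-known `rightsGuid` values of those extended rights; the list of principals treated as expected is an assumption to be adjusted per forest, and the module and ACL read access are assumed.

```powershell
# Added example, not Stealthbits code. Lists every ACE on the domain naming context
# that allows DCSync-style replication: the replication extended rights themselves,
# or a right that lets the holder grant them (GenericAll, WriteDacl, WriteOwner).
# Assumes the RSAT ActiveDirectory module and read access to the domain head's ACL.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Extended rights used by DCSync (rightsGuid values of the controlAccessRight objects)
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$allExtended = '00000000-0000-0000-0000-000000000000'   # ObjectType of an ACE granting every extended right
# Principals that replicate by design. Assumed baseline; adjust to your forest
# (e.g. add a directory-sync or backup service account only after verifying it).
$expected = @('S-1-5-32-544', 'S-1-5-9', "${domainSid}-516", "${domainSid}-498", "${domainSid}-512", "${domainSid}-519")
$adRights = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights
    $why = @()
    if (($rights -band $adRights::ExtendedRight) -eq $adRights::ExtendedRight) {
        $guid = $ace.ObjectType.ToString()
        if ($guid -eq $allExtended)             { $why += 'all extended rights' }
        elseif ($replRights.ContainsKey($guid)) { $why += $replRights[$guid] }
    }
    # Rights that do not replicate by themselves but allow granting the rights above
    foreach ($flag in 'GenericAll', 'WriteDacl', 'WriteOwner') {
        $bit = $adRights::$flag
        if (($rights -band $bit) -eq $bit) { $why += "$flag (can grant replication rights)" }
    }
    if ($why.Count -eq 0) { continue }
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $ace.IdentityReference.Value }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Rights    = ($why -join ', ')
        Inherited = $ace.IsInherited
        Expected  = ($expected -contains $sid)
    }
}
```

Any row with `Expected = False` is a candidate for removal; the `GenericAll`/`WriteDacl`/`WriteOwner` rows matter because an attacker holding one of them does not need the replication rights to be granted, they can add them.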
APPROACH #4
Service Ticket Request with Weak Encryption
DESCRIPTION
Monitor for Kerberos service ticket requests that use weak encryption (RC4_HMAC_MD5). A service ticket is obtained by requesting a ticket for a particular service principal name (SPN) and is returned encrypted with a key derived from the password of the service account tied to that SPN; with RC4 that key is the account's NT hash, so the ticket can be taken offline and cracked to recover the password (Kerberoasting).
PRODUCT: StealthDEFEND / StealthINTERCEPT
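The monitoring and the corresponding hardening, as an added example that is not Stealthbits code: the first part pulls RC4-encrypted service ticket requests (event 4769, encryption type `0x17`) from a domain controller and groups them by requester and service; the second lists the SPN-bearing accounts whose `msDS-SupportedEncryptionTypes` still permits RC4 and shows the AES-only setting beside it. It assumes the RSAT ActiveDirectory module, read access to the DC's Security log, and that Kerberos service ticket operations are audited there.

```powershell
# Added example, not Stealthbits code. Part 1 pulls RC4 (0x17) service ticket requests
# (event 4769) from a domain controller; Part 2 lists the SPN accounts that still allow
# RC4 and shows the hardening change. Assumes the RSAT ActiveDirectory module, rights to
# read the DC's Security log, and "Audit Kerberos Service Ticket Operations" enabled.
Import-Module ActiveDirectory
$dc = (Get-ADDomain).PDCEmulator   # assumed: query one DC; repeat for every DC in practice

# --- Part 1: who requests RC4-encrypted service tickets, and for which services ---
$xpath = "*[System[EventID=4769] and EventData[Data[@Name='TicketEncryptionType']='0x17']]"
Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -MaxEvents 2000 |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Requester = $d['TargetUserName']   # account that asked for the ticket
            Service   = $d['ServiceName']      # SPN owner whose key encrypts the ticket
            Client    = $d['IpAddress']
            Status    = $d['Status']
        }
    } |
    # Machine accounts (ending in $) have long random passwords; user-owned SPNs are the crackable ones
    Where-Object { $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' -and $_.Status -eq '0x0' } |
    Group-Object Requester, Service |
    Select-Object Count, Name, @{ n = 'Clients'; e = { ($_.Group.Client | Sort-Object -Unique) -join ',' } } |
    Sort-Object Count -Descending

# --- Part 2: service accounts whose msDS-SupportedEncryptionTypes still permits RC4 ---
# Bits: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256.
# Unset (null/0) on a non-DC account means RC4 is allowed. 24 (0x18) = AES only.
$weak = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties 'msDS-SupportedEncryptionTypes', ServicePrincipalName |
        Where-Object { -not $_.'msDS-SupportedEncryptionTypes' -or ($_.'msDS-SupportedEncryptionTypes' -band 0x7) }
$weak | Select-Object SamAccountName, 'msDS-SupportedEncryptionTypes', @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ' ' } }

# Hardened setting: AES only. Remove -WhatIf after confirming the service supports AES and
# the account password has been changed at least once on a Windows Server 2008 or later DC
# (older passwords have no AES keys stored, so AES-only would break authentication).
$weak | Set-ADUser -Replace @{ 'msDS-SupportedEncryptionTypes' = 24 } -WhatIf
```

A requester that asks for RC4 tickets to many different user-owned SPNs in a short window is the pattern to alert on; a single requester that always uses RC4 for one service is more likely a legacy client and belongs in Part 2's remediation list rather than in an incident.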
RESPOND
APPROACH #1
Purge Kerberos Tickets on Source and Target Machine
DESCRIPTION
Because a forged Kerberos ticket can name an arbitrary account, including one that does not exist in the directory, disabling user accounts is not an effective way to revoke the attacker's access. Instead, purge the Kerberos tickets on the source machine and, in case the target was also compromised, on the target machine.
PRODUCT: StealthDEFEND
APPROACH #2
Disable Source Computer
DESCRIPTION
Disable the computer account of the source machine the forged PAC originated from so it can no longer authenticate to the domain; the machine should be treated as untrusted by the domain/forest until the investigation is complete.
PRODUCT: StealthDEFEND
APPROACH #3
Disable All Accounts which Authenticated to Source Computer in the Last X Hours
DESCRIPTION
Customers may choose to review all authentications to the source machine over the last X hours, where X is the Kerberos ticket lifetime, and disable every account that authenticated to it until the Forged PAC investigation has been resolved.
PRODUCT: StealthDEFEND
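The three response approaches above, carried out with native tooling, as an added example that is not Stealthbits code. It assumes the RSAT ActiveDirectory module, PowerShell remoting with administrative rights on both hosts, and that the source host (`WS-ATTACKER`, assumed name) and target host (`SRV01`, assumed name) come from the alert; the disable steps carry `-WhatIf` so nothing is changed until the scope is confirmed.

```powershell
# Added example, not Stealthbits code. Runs the three response steps for an alert
# that names a source host and a target host. Assumptions: the RSAT ActiveDirectory
# module, PowerShell remoting with admin rights on both hosts, and that $SourceHost
# and $TargetHost come from the alert. Destructive steps carry -WhatIf; remove it
# once the scope has been confirmed.
param(
    [string]$SourceHost = 'WS-ATTACKER',   # assumed: host the forged PAC came from
    [string]$TargetHost = 'SRV01',         # assumed: host that accepted the ticket
    [int]$TicketLifetimeHours = 10         # default "Maximum lifetime for user ticket"
)
Import-Module ActiveDirectory
$netbios = (Get-ADDomain).NetBIOSName

# 1. Purge Kerberos tickets on both machines. "klist purge" only clears the calling
#    session's cache, so walk every logon session known to the LSA (admin required).
$purgeAll = {
    klist -li 0x3e7 purge | Out-Null                    # Local System's own cache
    $sessions = @(Get-CimInstance -ClassName Win32_LogonSession)
    foreach ($s in $sessions) {
        $luid = [uint64]$s.LogonId
        if (($luid -shr 32) -eq 0) {                    # klist -li takes the LUID low part in hex
            klist -li ('0x{0:x}' -f $luid) purge | Out-Null
        }
    }
    "$($env:COMPUTERNAME): purged ticket caches of $($sessions.Count) logon sessions"
}
Invoke-Command -ComputerName $SourceHost, $TargetHost -ScriptBlock $purgeAll

# 2. Disable the source computer account so it can no longer authenticate to the domain
Get-ADComputer -Identity $SourceHost | Disable-ADAccount -WhatIf

# 3. Every domain account that logged on to the source host within one ticket lifetime
#    (successful logons, event 4624, on that host), machine accounts excluded
$since = (Get-Date).AddHours(-$TicketLifetimeHours)
$accounts = Get-WinEvent -ComputerName $SourceHost -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetDomainName'] -eq $netbios -and $d['TargetUserName'] -notlike '*$') { $d['TargetUserName'] }
    } | Sort-Object -Unique

"Accounts that authenticated to $SourceHost since $since"
$accounts
# Disable them until the investigation is closed. Resolve each name first: an account
# that does not exist in AD is itself a finding, since a forged ticket can carry any name.
foreach ($a in $accounts) {
    try   { Get-ADUser -Identity $a -ErrorAction Stop | Disable-ADAccount -WhatIf }
    catch { Write-Warning "$a did not resolve in AD: possible forged ticket identity" }
}
```

Purging ticket caches forces every session on those hosts to obtain fresh tickets, which the KDC will then build from real group membership; it does not end sessions that are already open, so the purge is paired with disabling the source computer account and, where the customer chooses approach #3, the accounts listed in step 3.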
© 2022 Stealthbits Technologies, Inc.